A customer was testing various scan scenarios in which the EICAR test virus was embedded in a zip file and in some spreadsheet (xlsx) files. When the test files were uploaded to the file repository, two of the *.xlsx files were not detected as infected when the scan request was sent to the Protection Engine server. Those same files were detected and deleted by SEP when copied to a local hard drive.
When those same *.xlsx files were passed to the SPE server via the ICAP test scanner, ssecls, the infections were also not detected by SPE.
The component of Protection Engine responsible for extracting and scanning "container" files such as zip, xlsx, docx, etc. is called the "decomposer", which is a feature of the Stargate engine employed by SPE to process scan requests. Stargate is updated periodically and maintains backward compatibility with supported versions of Protection Engine. In this case, the installed version of Protection Engine was 8.0, which had reached End-Of-Support in October, 2021. It is likely that the version of Stargate on the server (which was also older) was not handling the newer container file methods.
Upgrading SPE to version 9.1 (the current version as of this publication) resolved the problem. All test viruses were detected when scanned again after upgrading. It is important to keep Protection Engine updated to a supported version.
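The test scenario and the decomposer's role described above can be reproduced offline with the following added example, which is not part of the original article and is not Symantec code. It builds constructed EICAR test containers (zip and xlsx-shaped) and runs them through a toy decomposer limited to a set of supported methods. The article does not say which container feature the older Stargate missed, so the zip compression method is used as an assumed stand-in, and all file and member names are constructed.

```python
import io
import zipfile
# EICAR test string (harmless), split so this source is not a signature match.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" "EICAR-STANDARD-ANTIVIRUS-"
         r"TEST-FILE!$H+H*").encode("ascii")
# Assumption: compression method stands in for the unspecified container feature.
METHODS = {"stored": zipfile.ZIP_STORED, "deflated": zipfile.ZIP_DEFLATED,
           "lzma": zipfile.ZIP_LZMA}

def make_container(members, method):
    """Build a zip-based container (zip or xlsx) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_corpus():
    """Constructed test files: EICAR in a zip and in an xlsx-shaped container."""
    corpus = {}
    for label, method in METHODS.items():
        corpus[f"eicar_{label}.zip"] = make_container({"eicar.com": EICAR}, method)
        corpus[f"eicar_{label}.xlsx"] = make_container({
            "[Content_Types].xml": b"<Types/>",   # placeholder part
            "xl/workbook.xml": b"<workbook/>",    # placeholder part
            "xl/embeddings/oleObject1.bin": EICAR}, method)
    return corpus

def scan(data, supported, depth=0):
    """Toy decomposer: returns 'infected', 'unscannable' or 'clean'."""
    if EICAR in data:
        return "infected"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "clean"
    if depth > 4:
        return "unscannable"  # nesting limit reached
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # A member the decomposer cannot unpack is unscannable, never clean.
        results = [scan(zf.read(m), supported, depth + 1)
                   if m.compress_type in supported else "unscannable"
                   for m in zf.infolist()]
    for verdict in ("infected", "unscannable"):
        if verdict in results:
            return verdict
    return "clean"

def coverage(supported):
    """Verdict per test file for a decomposer limited to `supported` methods."""
    return {name: scan(data, supported) for name, data in build_corpus().items()}
```

The byte strings returned by `build_corpus()` can be written to disk and submitted to the scanner under test; any file that comes back as clean points to a gap in container handling.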